Looking into the crystal ball

It is once again, as the song doesn’t quite say, “the most predictive time of the year.” Not that anybody knows for sure what will be happening even a month from now, never mind six months to a year.

But that does not, and should not, stop organizations from trying. The way to get ahead and stay ahead, especially in online security, is to look ahead.

So here are some of the best guesses about what we will see in 2017 from several dozen vendors and analysts. There are many more than 15 predictions out there, of course, but these are the ones we heard most frequently.

Internet of malicious things

(Portnox, BitSight, Juniper Networks, HP Enterprise, TrapX Security, Netskope) Internet of Things (IoT) devices – everything from consumer devices to smart meters, medical devices, automobiles and more – have already been conscripted as zombie troops for cyber attackers, due to their limited computing power and the firmware running on them, which in many cases can’t be patched or updated. This will get much worse in 2017, given that too many organizations still aren’t inspecting their most commonly used apps for malware, enabling everything from DDoS attacks to Trojans to serving as entry points into enterprise networks for other attacks like ransomware and APTs.

IoT winners will be those that can code their own solutions to ensure their products are secure.

Crimeware at your service

(HP Enterprise) Rookie hacktivists and hobby hackers, driven by pop-culture references and increased media attention, will increasingly get into the cybercrime game. They will use off-the-shelf tools for nuisance attacks like web defacement and port scans, plus more damaging attacks through DDoS as a service and Ransomware as a Service (RaaS). While these adversaries won’t have the skills for lateral movement, their attacks could be costly and cause reputational damage to the company brand.

DDoS: Weapon of mass obstruction

(Symantec, HP Enterprise, BitSight, Cloudflare) DDoS attack firepower in 2016 increased to frightening levels – rising from 400Gbps of bandwidth, with 1Tbps or more becoming the norm – thanks to millions of IoT devices lacking even basic security. These attacks require specialized protection that very few organizations in the world today can provide. That firepower will be used sometime in 2017 to take down critical infrastructure and even the internet infrastructure of whole countries in support of a physical military attack.

Increasing cloudiness

(Nubeva, Symantec, enSilo, ZL Technologies) Financial institutions have been slow to adopt the cloud. However, with more regulations, compliance, and better security features in the cloud, more of these companies will no longer be able to ignore its benefits, will start testing the cloud on workloads and move some services beyond just the corporate data center.

More businesses will allow a dispersed workforce to introduce wearables, virtual reality and IoT-connected devices onto the network, supported by cloud applications and solutions.

But enterprises will need to shift their security focus from endpoint devices to users and information across all applications and services to guard against ransomware and other attacks. Cloud Security-as-a-Service will cut the cost of purchasing and maintaining firewalls. However, some will find that the risk of security breaches means they will decide to keep their data “on the ground.”

Spy vs. Spy

(ThetaRay, Kaspersky Labs, RSAC Advisory Board, Symantec, Fireglass) Cyber espionage, already rampant with Chinese theft of US intellectual property and the OPM hack, plus Russia’s suspected role in seeking to interfere with the US presidential election, will continue to expand across the globe. Drones will be used for espionage and attacks as well, with efforts beginning to hack into drone signals and allow “dronejacking” in a few more years.

As was the case in 2016 with the Trident incident, which leveraged mobile browser vulnerabilities and the latest iOS JPEG zero-day, more espionage campaigns will target mobile, benefiting from the security industry’s struggle to gain full access to mobile operating systems for forensic analysis.

Hack the vote, the campaign and the candidates

(Portnox, Sonus Networks, BitSight, Area 1 Security, RSAC Advisory Board, CrowdStrike) Expect more WikiLeaks-style releases of embarrassing photos and corporate documents, through hacking of SS7 and Diameter networks that will allow exploitation of mobile phone location and conversation data. Hacking will become a common technique for opposition research that will trickle down from the presidential election to House, Senate and state contests. The damage to public figures could range from embarrassment, like the hack of the Democratic National Committee, to physical danger from the use of location data to launch a physical attack.

The US response will become more aggressive, to include not just cyber tactics but also diplomatic, law enforcement, economic and other policy means.

Taking terror online

(Portnox, Contrast Security, Kaspersky Labs, TrapX Security, Aperio Systems) Think takedowns of traffic lights, portions of the power grid, water systems, etc. – they might not cause catastrophic damage, but they will disrupt daily life. But in some cases, the damage could be significant, through the use of data forgery.

In response, we will likely see a major retaliatory cyber action from the US government. But because of attribution difficulty with cyberattacks, made even more difficult through the widespread use of misdirection (generally known as false flags), there will be considerable ambiguity about the attacker’s identity.

Open season on open source

(Black Duck) Open source has become the foundation of global app development because it reduces development costs, promotes innovation, speeds time to market and increases productivity. But hackers have learned that applications are the weak spot in most organizations’ cyber security defenses, and that companies are doing an abysmal job of securing and managing their code, even when patches are available. That means open-source vulnerability exploits deliver a high ROI. And those exploits will increase in 2017 against sites, applications, and IoT devices.

But insurers, while happy for the added business, won’t be handing out claims money easily. They will begin developing programs that drive better security hygiene, offering incentives for better detection and incident response capabilities, much like health insurance providers with no-smoking policies or discounts for gym memberships.

And, as attacks become more common and damages more widespread, some insurers will cut back their cyber liability offerings.

Catch the phish

(Area 1 Security, Symantec) It is long established that employees are the weakest link in security. Nearly all enterprise hacks begin with phishing, in spite of employee training conducted on security best practices – workers are human, and therefore, will always be fallible. Organizations will reframe the way they approach cybersecurity accordingly.

But they will need to pay closer attention to the rise in popularity of free SSL certificates paired with Google’s recent initiative to label HTTP-only sites as unsafe. That will weaken security standards, driving potential spear-phishing or malware programs.

Ransomware everywhere

(Kaspersky Labs, Contrast Security, Aperio Systems, Exabeam, Arctic Wolf, TrapX Security, enSilo, Netskope, Fidelis Security) Ransomware will continue to increase, evolve, get stealthier and use automation to attack the cloud, medical devices like MRI machines and pacemakers, critical infrastructure and mission-critical servers. It is a superior “economic model” for cyber criminals, since organizations understand that it would cost a small fortune to shut down an entire operation, so they are more likely to give in to the extortion.

“Ransomworms” will also rise – malware that not only encrypts files but leaves code in place to guarantee some repeat business.

However, the unlikely “trust” relationship between ransomware victims and attackers – based on the assumption that payment will result in the return of data – will decline as a lesser grade of criminal enters the space.

The long privacy goodbye

(Kaspersky, Contrast Security, Venafi) Government surveillance will increase and become more intrusive, through use of the kind of tracking and targeting tools used in advertising to monitor alleged activists and dissidents.

In the wake of the conflict between Apple and the FBI, there will also be increased attacks on encryption by intelligence agencies, which will argue that encryption keys are necessary to find and confront terrorists. 2017 will be a pivotal year in the 25-plus-year debate about information, privacy, and security.

Gentlemen, start your attack surfaces

(Symantec, Black Duck) Modern cars, typically containing more than 100 million lines of code, are increasingly intelligent, automated, and most importantly, Internet-connected. But carmakers don't know exactly what software is inside their vehicles because it comes from third parties and almost certainly contains open-source components with security vulnerabilities – a target-rich environment for hackers.

This will likely lead to a large-scale automobile hack, which could include cars held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering, or other threats. This will also lead to a legal battle over liability between the software vendor and auto manufacturer.

Faking it

(Datavisor) Fakers are already a problem – users who download your app, log in regularly and even make purchases might not be real. And with the decreased effectiveness of CAPTCHAs, SMS and email verification are also becoming an easy barrier to overcome for fraudsters opening fake accounts. This will get worse in 2017 as advertisers and ad platforms adopt more sophisticated tracking technology and fraudsters become more experienced at mimicking the behavior of real users.

In response, there will be increased scrutiny on account openings, with demands for additional proof that a new account is legitimate.

Skills gap? Use automation

(Tufin, Juniper Networks) With the security skills gap approaching Grand Canyon dimensions, organizations will look to automation so skilled workers won’t have to waste time on manual, mundane responsibilities and regularly performed duties. This should give IT pros more time to focus on what really matters.

Automation will also help the pros to do their jobs more effectively. They will receive fewer notifications with more relevance, relieving them of the manual task of hunting through a sea of alerts to find the truly malicious ones.